[OTR-users] gaim 2.0

CLAY SHENTRUP CLAY at BROKENLADDER.COM
Thu Nov 17 15:03:54 EST 2005


> It may not provide the same deniability aspects

the third type of mikey key agreement uses signed diffie-hellman
"half-keys", like otr. perfect forward secrecy, and plausible deniability.
granted though, it may not use a type of aes where a substitution is
plausible. of course, your voice is hard to deny anyway.

> and if the D-H is only done once
per session, your forward secrecy window may be very large.


rfc 3711 <http://www.networksorcery.com/enp/rfc/rfc3711.txt> states:

SRTP provides for some additional features. They have been
introduced to lighten the burden on key management and to
further increase security. They include:

* A single "master key" can provide keying material for
confidentiality and integrity protection, both for the SRTP stream
and the corresponding SRTCP stream. This is achieved with a key
derivation function (see Section 4.3), providing "session keys"
for the respective security primitive, securely derived from the
master key.

* In addition, the key derivation can be configured to periodically
refresh the session keys, which limits the amount of ciphertext
produced by a fixed key, available for an adversary to
cryptanalyze.

* "Salting keys" are used to protect against pre-computation and
time-memory tradeoff attacks [MF00] [BS00].

It may not even provide authentication!


mikey has three key agreement schemes, the third of which is similar to OTR,
in that diffie-hellman is used with signed "half keys". the frustrating
thing though, is that it uses "certificates", which have to be verifiable
with some cert authority presumably. my feeling is that it should work like
OTR, where even if you don't verify the fingerprint, it still "works", but
just says "unauthenticated". and if you push some button on your phone, you
can view either your session id hash or your fingerprint, and speak it to
someone whose voice you know, to rule out a mim. one frustrating feature of
minisip, is that it won't let you choose that type of mikey key agreement
without putting in a digital cert first. argghhhhh..

this document <http://www.ietf.org/internet-drafts/draft-ietf-msec-mikey-dhhmac-11.txt> describes
some alteration of this third scheme, to avoid the need for public
keys. but i don't know how "keyed hashes" can remove the need for some sort
of digital signature of the public dh generator "half keys".

otr is fine and all, but when i get a little money saved up, and really get
my underground anti-government resistance up and running, i want hard core
deniable authenticated sip calls. i just wish the people behind srtp/mikey
were as brilliant as you, ian.

and back to the gaim issue. i guess their sip support will just be for text
atm. funny, since instant messaging in sip is more of an afterthought, and
nowhere near as robust as jabber. their voice support will be compatible
with google talk.. a proprietary system that google promises to switch to sip
eventually anyway. argghhhh.

thanks for the response,
clay
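As an added illustration of the RFC 3711 section 4.3 key derivation quoted above (not code from the original post, minisip, or any SRTP implementation): one master key and 112-bit master salt feed an AES-CM PRF that, selected by a label byte, yields the cipher key, the auth key and the session salt for the SRTP stream. The counter value r = index DIV key_derivation_rate is what the "periodically refresh the session keys" bullet refers to. The key and salt are the RFC's own Appendix B.3 test vector, embedded inline so the program runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// srtpPRF is the RFC 3711 section 4.3.1 key derivation: n bytes of AES-CM
// keystream under the master key, with the IV built from the master salt,
// a label (0x00 cipher key, 0x01 auth key, 0x02 salt for the SRTP stream)
// and r = index DIV key_derivation_rate (0 when periodic refresh is disabled).
func srtpPRF(masterKey, masterSalt []byte, label byte, r uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, fmt.Errorf("master salt must be 112 bits, got %d", 8*len(masterSalt))
	}
	// x = key_id XOR master_salt, where key_id = label || r (8 + 48 bits) is
	// right-aligned against the 112-bit salt. The two trailing zero bytes of
	// the 16-byte block realise the "IV = x * 2^16" shift of the RFC.
	var iv [16]byte
	copy(iv[:14], masterSalt)
	iv[7] ^= label
	for i := 0; i < 6; i++ {
		iv[13-i] ^= byte(r >> (8 * i))
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, n) // XOR over zeros yields the raw keystream
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, out)
	return out, nil
}

func main() {
	// Master key and salt from the RFC 3711 Appendix B.3 test vector.
	mk, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	ms, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	for _, k := range []struct {
		name  string
		label byte
		n     int
	}{{"cipher key", 0x00, 16}, {"auth key", 0x01, 20}, {"salt", 0x02, 14}} {
		key, err := srtpPRF(mk, ms, k.label, 0, k.n)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s %X\n", k.name, key)
	}
}
```

Note that a refreshed key (r = 1, 2, ...) is still a deterministic function of the same master key, so the refresh bounds how much ciphertext any one session key protects but does not shorten the forward-secrecy window discussed above; only a fresh Diffie-Hellman exchange does that.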